The triple threat

Whilst debt is getting increasing attention within many organisations, the causes are often not fully assessed, and the implications of these deficits are not fully acknowledged.

Technical debt

Technical debt is generally considered to occur as a result of under investment in skills, systems and infrastructure, leading to increased dependency on legacy systems. High levels of integration are needed to support an increasingly complex internal tech landscape, often with little or no architecture, leading to poor design decisions. The complexity increases the cost and risk of updates, upgrades and migrations, reinforcing the mindset of ‘if it ain’t broke don’t fix it’. Leaders believe they don’t have the money or business imperative to make the changes needed. The technology becomes increasingly outdated and unstable.

Culture debt

‘Under investment’ is an oversimplification of the true causes of technical debt. On closer inspection we can see that the causes of the technical debt are due to organisational culture including:

• Delivery at all costs: prioritising speed over any other consideration, including security and often the wellbeing of individuals
• We’ll fix it later: the belief that there will be time/money/inclination to revisit work-arounds and suboptimal decisions at a later date
• It won’t happen to us: over optimism, complacency and insufficient attention to risks including cybersecurity threats, technical failures and loss of key people
• Strategy vs values: many organisations articulate both a strategy and set of values. However, there is often little explanation of how the values will enable the strategy to be realised, or what to do if the two become impossible to reconcile. In this situation, performance measures and targets typically trump values-based decision making and values-driven behaviours and practices
• Limited collaboration: when coordination between internal teams is limited or supplier relationships are poorly managed, collaboration turns to conflict
• Lack of learning and development: organisations which fail to invest appropriately in their people open the door to technical debt. Staff lose motivation, their skills and knowledge are not kept up to date and there is no emphasis on being outward looking or future focused.

Many organisations want to be or to become innovative, but do not put in place the right support, training, processes and behaviours to allow teams to behave in innovative ways or try new things.

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

Security debt

High levels of technical debt can create the conditions where security risks are more likely to arise, become harder to address, and are more likely to persist. The number of points of vulnerability is higher, and these are unknown or undocumented. Unintentional data losses are more likely, and there is higher potential for external malicious attacks to succeed. As technical debt grows, the cost of maintaining and securing the system also increases. This can lead to limited resources for proactive security measures, causing security debt to further accumulate.

Looking to the future

In recent years, a pattern has emerged where organisations reach a tipping point that compels them to invest in large scale ‘digital transformation’ initiatives. When these are driven from a technical perspective, the underlying cultural causes of the current technical position are often not identified. A major (short term) investment in, for example, moving to a cloud architecture, creates a false impression that ‘the problem will be fixed’. The reality is that ongoing investment in both culture and technology is needed to stay competitive and to stand any chance of success against increasing cybersecurity threats.

Conclusion

Broadening the conversation about technical debt to explore the beliefs and behaviours which have caused it will provide a better basis for the organisation to build on. This almost always traces back to organisational culture. Business analysis has a key role to play in the reduction of cultural, technical and security debt. When we discover legacy systems, complex integrations and a lack of security focus, we need to highlight the processes, policies and behaviours which have contributed to it. We can also bring issues to light via structured approaches including feasibility studies and options analysis. Addressing all three layers of debt is the only way to develop and maintain a modern, efficient and secure organisation.